| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1662404120-24338-2-git-send-email-quic_deesin@quicinc.com>
Date: Tue, 6 Sep 2022 00:25:20 +0530
From: Deepak Kumar Singh <quic_deesin@...cinc.com>
To: <bjorn.andersson@...aro.org>, <swboyd@...omium.org>,
<quic_clew@...cinc.com>, <mathieu.poirier@...aro.org>
CC: <linux-kernel@...r.kernel.org>, <linux-arm-msm@...r.kernel.org>,
<linux-remoteproc@...r.kernel.org>,
Deepak Kumar Singh <quic_deesin@...cinc.com>
Subject: [PATCH V2 2/2] rpmsg: glink: Add lock to rpmsg_ctrldev_remove
Hold ctrl device lock in rpmsg_ctrldev_remove to avoid any
new create ept call to proceed, otherwise new ept creation
and associted char device may suceed. Any further call from
user space for rpmsg_eptdev_open will reference already freed
rpdev and will result in crash. Below crash signature was
observed -
rpmsg_create_ept+0x40/0xa0
rpmsg_eptdev_open+0x88/0x138
chrdev_open+0xc4/0x1c8
do_dentry_open+0x230/0x378
vfs_open+0x3c/0x48
path_openat+0x93c/0xa78
do_filp_open+0x98/0x118
do_sys_openat2+0x90/0x220
do_sys_open+0x64/0x8c
Signed-off-by: Deepak Kumar Singh <quic_deesin@...cinc.com>
---
drivers/rpmsg/rpmsg_ctrl.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/rpmsg/rpmsg_ctrl.c b/drivers/rpmsg/rpmsg_ctrl.c
index 107da70..4332538 100644
--- a/drivers/rpmsg/rpmsg_ctrl.c
+++ b/drivers/rpmsg/rpmsg_ctrl.c
@@ -194,10 +194,12 @@ static void rpmsg_ctrldev_remove(struct rpmsg_device *rpdev)
struct rpmsg_ctrldev *ctrldev = dev_get_drvdata(&rpdev->dev);
int ret;
+ mutex_lock(&ctrldev->ctrl_lock);
/* Destroy all endpoints */
ret = device_for_each_child(&ctrldev->dev, NULL, rpmsg_chrdev_eptdev_destroy);
if (ret)
dev_warn(&rpdev->dev, "failed to nuke endpoints: %d\n", ret);
+ mutex_unlock(&ctrldev->ctrl_lock);
cdev_device_del(&ctrldev->cdev, &ctrldev->dev);
put_device(&ctrldev->dev);
--
2.7.4
Powered by blists - more mailing lists